On Mon, 28 Oct 2002, David T-G wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi, all!
>
> I would like to dump my mysql databases to cold files for separate
> backups; we're too cheap to buy the database agent that will do it live.
>
> I started with
>
>   mysqldump --user=root --password=showtheworld --all-databases > ...
>
> as I've seen in numerous scripts posted to this list, but of course that
> shows the world my DB root password if you happen to run top at the right
> time (or are the adventurous type who might run a script to, say, look
> for and log any mysql commands). My next step was to
>
>   <create dumpster user with no password>
>   grant select on *.* to dumpster@localhost
>
> so that I can run
>
>   mysqldump --user=dumpster --all-databases > ...
>
> and at least protect all of my writing privs -- but now the DB id of a
> user that can obviously read every bit of data in there is also exposed.
>
> What I need is a way to connect to the database from a cron job without
> exposing the password in the environment. What amazes me is that even
> confidential databases at large companies are accessed through scripts
> with the passwords embedded -- and the scripts are often world-readable!
>
> Is there anything analogous to an ssh key pair so that only an OS user
> connecting with the DB id private key can get in to do the select and run
> the mysqldump? Or am I barking up the wrong tree and should I instead do
> something else to cleanly and securely back up the databases?
>

Hi!

See http://www.mysql.com/doc/en/Secure_connections.html and its subsections.

I think GRANT ... REQUIRE X509 and x509 certificates could help you. Even
then you have to expose your password but it won't help a cracker as he
doesn't have your certificate.

I haven't used this personally, and the documentation is pretty thin on
this subject, unfortunately.

Best regards,
Iikka

******************************************
* Iikka Meriläinen                       *
* E-mail: [EMAIL PROTECTED]              *
* Vaala, Finland                         *
******************************************
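
An added example, not from either poster or from the MySQL project: a cron wrapper for the certificate approach suggested in the reply, which passes no password on the command line and refuses to run when the client key is readable by group or others. The directories, the certificate file names, the `--run` switch and the server-side GRANT quoted in the comment are assumptions.

```shell
#!/bin/sh
# Added example: cron wrapper for a passwordless, certificate-bound dump account.
# Assumptions (not from the thread): the two directories below, the file names
# ca.pem / client-cert.pem / client-key.pem, a connection on which TLS is
# negotiated, and a server-side account created along the lines of
#   GRANT SELECT ON *.* TO dumpster@localhost REQUIRE X509;

CERT_DIR=${CERT_DIR:-/etc/mysql/dumpster}   # hypothetical path
OUT_DIR=${OUT_DIR:-/var/backups/mysql}      # hypothetical path

# Succeeds only for a readable regular file (not a symlink) whose mode grants
# nothing to group or others, e.g. 0600 or 0400.
key_is_private() {
    [ -r "$1" ] || return 1
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case $mode in
        -???------) return 0 ;;
        *)          return 1 ;;
    esac
}

run_dump() {
    key="$CERT_DIR/client-key.pem"
    if ! key_is_private "$key"; then
        echo "refusing to run: $key is missing or readable by group/others" >&2
        return 1
    fi
    umask 077   # the dump holds every table, so keep it owner-only too
    # No --password argument: nothing secret appears in ps or top output.
    mysqldump --user=dumpster \
        --ssl-ca="$CERT_DIR/ca.pem" \
        --ssl-cert="$CERT_DIR/client-cert.pem" \
        --ssl-key="$key" \
        --all-databases > "$OUT_DIR/all-databases-$(date +%Y%m%d).sql"
}

# The cron entry calls this script with --run; without it only the functions are defined.
if [ "${1:-}" = "--run" ]; then
    run_dump
fi
```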